Page 1 of 2
Mail delivery issues
Posted: 23 Oct 2007, 06:47
by innersphere
Hi,
I am getting some issues with mail delivery from my ISP. Certain messages are being rejected as follows:
450 <
jrabbat@horizonfcb.co.ae>: Sender address rejected: Domain not found
maildirserial: info: new/1192849121.8274.autoturn02,S=3529 failed temporarily: 381.374.353.319 said: 450 <
jrabbat@horizonfcb.co.ae>: Sender address rejected: Domain not found
To me (as a non-expert), this looks like the Bubba Postfix server is doing a reverse lookup on the domain to prevent spam and deferring messages to prevent them coming through. This in itself is not the issue however.
The ISP is saying that the 4xx codes are deferral codes, so their server will keep trying to send the messages. What they need is a 5xx code which is a rejection code - then their server will not continue to send the messages.
All I need to do is either let the messages through, or reject them properly, as I am getting quite a queue building up on what is effectively my Backup MX server.
Someone please help
Thanks,
Graeme
Posted: 23 Oct 2007, 09:16
by johannes
Hi!
Yes, postfix does some blacklist checks before letting the mail through, and this can be turned off if required. Edit /etc/postfix/main.cf and comment the lines about blacklist checks, at the end of the file. Do a postfix reload when you are done.
Hope it helps!
Posted: 23 Oct 2007, 09:17
by tor
Hi innersphere,
Could you try to remove the line saying:
near the end in the file
/etc/postfix/main.cf and tell postfix to reload its config
/Tor
Posted: 23 Oct 2007, 09:51
by innersphere
Thanks very much for your responses guys - greatly appreciated!
However - please bear in mind that I am a compete noob when it comes to this stuff.
I assume the file is somewhere on the Bubba and I have to edit it somehow (this much is obvious).
What is the easiest way to edit the file, and how do I backup the config in case I need to restore it at some point?
Thanks,
Graeme
Posted: 23 Oct 2007, 10:55
by Ubi
People, please do not do this.
First of all, the reject_unknown_sender_domain is *NOT* a blacklist. It is a syntax check to see if the message conforms to RFC 821. Please do not confuse your users by making these mistakes (reject_rbl_client dnsbl.sorbs.net is a call to a blacklist for example).
Postfix gives a 4xx here on purpose. The response is always 450 in case of a temporary DNS error. If the problem remains, the sending server gives up after x-many hours and return the message. By accepting mail from non-existing domains you just opened a floodgate for spammers.
If you *must* reject on first try, change this:
(This is the numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction. Do not change this unless you have a complete understanding of RFC 821.)
*
http://www.postfix.org/uce.html
*
http://www.postfix.org/postconf.5.html
Ubi
Posted: 24 Oct 2007, 05:00
by johannes
Ubi,
Thanks for educating us.
However, I don't see the problems with removing the blacklist checks (i.e. changing:
Code: Select all
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unauth_pipelining
reject_invalid_hostname
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_rbl_client list.dsbl.org
reject_rbl_client relays.ordb.org
reject_rbl_client dnsbl.njabl.org
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net
permit
to
Code: Select all
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unauth_pipelining
reject_invalid_hostname
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_recipient_domain
# reject_rbl_client list.dsbl.org
# reject_rbl_client relays.ordb.org
# reject_rbl_client dnsbl.njabl.org
# reject_rbl_client dnsbl.sorbs.net
# reject_rbl_client bl.spamcop.net
permit
..if this is what causes the problem? Some of these lists have sometimes caused problems, filtering out ISP's mail servers, preventing loads of users from sending email.
innersphere,
To edit the file, do the following:
ssh to bubba, for instance using
Putty. Log on a your regular user, and then type su to become root. Password is 'excito'.
Type nano /etc/postfix/main.cf to edit the file. When you're done, save the file and type 'postfix reload'.
Done!
Posted: 24 Oct 2007, 06:01
by innersphere
Thanks Johannes & Ubi & Tor
The original suggestion was to remove the unknown domain, not the blacklists. I did test this, and of course it worked great!
But then I read Ubi's post and put it back - lol! The problem I have is that the email never leaves the ISP, as they are my Backup MX in case my connection or server is down etc. This means that the mail is not coming from the originator and getting dropped after failing to deliver after a period of time - it just sits in the queue.
I am not sure how to get around this issue to be honest. Logic suggests that after the same message has been 'deferred' say 10 times, that it should get a rejection, but I suspect this is not programmable.
It looks to me like my only option is to open the floodgates and let my client take care of the spam flood?
Help!
Thanks again guys for your time and efforts and help !
PS - Nano much easier than vi
Posted: 24 Oct 2007, 09:06
by Ubi
Just a few reactions;
Johannes:
I don't see the problems with removing the blacklist checks .if this is what causes the problem
In this case the blacklists were not the problem. Postfix gives a very specific about what went wrong. If a car runs out of oil, would you solve it by changing the tyres??
Re Innersphere:
The problem I have is that the email never leaves the ISP, as they are my Backup MX in case my connection or server is down etc. This means that the mail is not coming from the originator and getting dropped after failing to deliver after a period of time - it just sits in the queue.
I find this very hard to believe. The backup MX may have a very tolerant latency form the primary (can be up to a few days), but it should always return the mail to original sender after the timeout. If they set this to unlimited the backup mx needs repair. Now in this case the FROM adress is forged, so it is impossible to return to sender and the message should indeed be dropped.
Of course the *real* mistake is at the level of the backup MX who should have assured that the message was RFC821 compliant (i.e. no invalid FROM address)
Posted: 24 Oct 2007, 10:47
by innersphere
Ubi - thanks again.
You definitely know too much about RFC's though - lol !!
I will pursue this with my ISP
Update
Posted: 26 Mar 2008, 13:22
by innersphere
Hi all,
I am back again - different problem, but directly related
Message below - please advise
Thanks,
Graeme
All mails sent to me are now getting bounced with the following message:
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
abc@abc.co.uk
SMTP error from remote mailer after RCPT TO:<
abc@abc.co.uk>:
host mail.abc.co.uk [81.174.153.219]:
554 Service unavailable; Client host [82.110.105.38] blocked using relays.ordb.org; ordb.org was shut down on December 18, 2006. Please remove from your mailserver.
Posted: 26 Mar 2008, 13:45
by RonaldJ
Hi,
I have the same sort of problem since this morning!
I get this, while trying to send a message from yahoo:
Remote host said: 554 Service unavailable; Client host [216.252.110.65] blocked using relays.ordb.org; ordb.org was shut down on December 18, 2006. Please remove from your mailserver.
Giving up on <mi ip-adress>.
Until now everything was working fine and I changed nothing....
Posted: 26 Mar 2008, 14:05
by johannes
innersphere, RonaldJ,
Yes, it seems as one of the spam block servers Bubba uses to verify all incoming email against has shut down, and ordb.org apparently chooses to block all email to get people to note this.
A quick fix would be to comment out that check in the mail server configuration file. A small guide on how to do this yourself follows:
- SSH to Bubba. If you don't know how, follow
this guide up until "Examples of use".
- Become root:
Password 'excito' if you haven't changed it.
- Edit the configuration file:
- Scroll down to the section with restrictions, in the end, looking like this:
Code: Select all
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unauth_pipelining
reject_invalid_hostname
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_rbl_client list.dsbl.org
reject_rbl_client relays.ordb.org
reject_rbl_client dnsbl.njabl.org
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net
permit
- Comment out the ordb line:
Code: Select all
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
reject_unauth_pipelining
reject_invalid_hostname
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_non_fqdn_recipient
reject_unknown_recipient_domain
reject_rbl_client list.dsbl.org
# reject_rbl_client relays.ordb.org
reject_rbl_client dnsbl.njabl.org
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client bl.spamcop.net
permit
- Save:
and
to confirm.
- Reload the configuration:
This should do the trick as a quick fix.
Posted: 26 Mar 2008, 14:05
by RonaldJ
Hi again,
I solved it myself with my very thin knowledge of Unix and postfix...
sweaty hands!
I did this:
open main.cf (the postfix config file) in /etc/postfix
find the line with reject(rbl_client relays.ordb.org
put a '#' in front of that
the line now reads '#reject_rbl_client relays.ordb.org'
save the file
tell postfix to use the new file with the command
postfix reload
That's it!
Posted: 26 Mar 2008, 14:07
by RonaldJ
Johannes,
You gave us the right solution while I was writing mine.... My post looks kind of silly now!
Thanks for your help, but I'm proud I found it myself....
Posted: 26 Mar 2008, 14:08
by innersphere
Yeah - I did the same, with even less of said knowledge.
However - I am slightly concerned that this is in the default build, and if I have to rebuild it, I will find myself in the same place again and will have to try remember what I did to fix it
**EDIT** lol - I also just saw johannes' post - but the above still stands
Either way - thanks for the quick replies!!